Security Bulletins

Fixes available for vulnerability in CNI IPv6 route advertisement

Return to List


Fixes available for vulnerability in CNI IPv6 route advertisement

Reference: TTA-2020-001
Date published: 2020-June-1




Clusters using IPv4 may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with default privilege is able to reconfigure the node’s IPv6 interface and redirect traffic from the node to the compromised pod. This includes traffic to domains that offer an IPv6 address that would otherwise have been reached by IPv4. Upgrade to latest Calico or Calico Enterprise releases to close this vulnerability. An initial severity medium has been given for this vulnerability.

CVE-2020-13597 has been reserved and will be updated with the relevant information.




Affects clusters using Calico, and Calico Enterprise as the CNI plugin. Cloud provider managed clusters may not be affected, please consult cloud provider’s advisory.

An attacker controlled pod with CAP_NET_RAW capability can send “rogue” IPv6 route advertisements to the node’s interface and reconfigure the node’s interface to redirect part or all of the IPv6 traffic to the compromised pod. Being able to intercept traffic to the node may allow the attacker to see sensitive data sent.

More information can be found at:


Affected Releases


  • 3.14.0
  • 3.13.3 or earlier
  • 3.12.1 or earlier
  • 3.11.2 or earlier
  • 3.10.3 or earlier
  • 3.9.5 or earlier
  • 3.8.8 or earlier
  • and all previous versions

Calico Enterprise (3.0 not affected)

  • 2.8.2 or earlier
  • 2.7.4 or earlier
  • 2.6.2 or earlier
  • and all previous versions


Indicators of Impact/Compromise

Presence of unexpected IPv6 routing.


Workaround / Remediation

In order to exploit this vulnerability, a malicious pod must have the CAP_NET_RAW capability, and the host node interfaces have IPv6 route advertisements enabled. You can prevent this by:

Setting all running pods to be non-root and drop CAP_NET_RAW capability using PodSecurityPolicy.

SSH into the host node to manually disable IPv6 route advertisement by setting /proc/sys/net/ipv6/conf/{all,default,interfaces}/accept_ra to 0.


Fixed Software


  • 3.14.1
  • 3.13.4
  • 3.12.2
  • 3.11.3
  • 3.10.4
  • 3.9.6
  • 3.8.9

Calico Enterprise

  • 3.0.0
  • 2.8.3
  • 2.7.5
  • 2.6.3

Return to List